CESA-2008-007 - rev 1

[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]

Browser SVG / canvas design error

Programs affected: Webkit nightly
Severity: Cross-domain image theft; possibly worse
Note: Releasing immediately as no production browser appears affected. By releasing this now, I'm hoping things will stay that way as the browsers implement this area of technology.

There exists a combination of modern browser features which is difficult to implement securely; or more accurately, easy to implement without fully appreciating the security concerns:

The attack proceeds thus: Normally, the attack would be blocked by a security check on the canvas object, which denies getImageData etc. if a different-domain image has been rendered to the canvas. This check is bypassed by hosting the loaded SVG image same-domain, and having it indirectly refer to the different-domain image.

The different browsers stack up like this:

More worrying possibilities exist, although I wasn't able to get them to work with brief experimentation. One possibility is to use <html:iframe> to completely break the same origin policy. It's not clear whether Webkit nightly was saved by design, chance or my failure to win a race condition in SVG rendering.

CESA-2008-007 - rev 1
Chris Evans